# WinRM Forkbomb Demo
Research project demonstrating how Ansible's WinRM connection model causes a "forkbomb"
of authentication failures that exhaust Windows shell quotas and trigger Active Directory
account lockouts.
## The Problem

- Ansible forks=50 x 15 tasks/role = 750 WinRM shell attempts
- Windows MaxShellsPerUser = 30 -> 720 failures
- Each failure = failed NTLM auth -> AD lockout after 5 failures
## Key Sections
## Quick Start

```sh
direnv allow                        # Enter nix dev shell
just setup                          # Install deps + collections
sops secrets/winrm-creds.enc.yaml   # Configure credentials
just tunnel-start                   # SSH tunnel to win-target
just audit                          # Verify connectivity + baseline quotas

# Demo the forkbomb
just benchmark-safe                 # forks=5, works fine
just benchmark-unsafe               # forks=50, demonstrates the problem
just deploy-quotas                  # Apply the fix (raise quotas)
just benchmark-unsafe               # forks=50, now works!
just benchmark-psrp                 # Compare pypsrp connection behavior
```
## Stack

| Component | Purpose |
|---|---|
| Nix flake + direnv | Reproducible dev shell |
| UV + pyproject.toml | Python 3.13 dependency management |
| Dhall | Type-safe configuration generation |
| SOPS + age | Encrypted credential management |
| Ansible + Molecule | Infrastructure automation and testing |
| just | Task orchestration |
## Roles

| Role | Purpose | Tags |
|---|---|---|
| winrm_quota_config | Raise WinRM shell quotas (admin toggle) | winrm-quota |
| winrm_session_cleanup | Detect + terminate stale sessions | winrm-cleanup |
| firewall_rules | Windows firewall for IIS/WinRM | firewall |
| iis_site | Demo IIS site displaying repo contents | iis-site |